Catering for multiple audiences
We've used the professionals' seminar as a donor to kick-start the staff and management seminars. Copying seminar slides into new templates and fiddling around with the layout and formatting is the easy bit: adapting the presentations to suit the different audiences takes a bit more thought.
Most managers are unlikely to have an interest in the technical details of email encryption, for instance, but they ought to appreciate that there are options in that regard, each having pros and cons for the organization. We need to give them just enough context and background to be able to take this up with their IT, risk and information security professionals - some questions to pose, perhaps, as well as a basic grounding in the concepts and terminology to facilitate meaningful communications. The awareness module will also contain management briefings, a sample policy and a paper on email and messaging security metrics, encouraging managers to contemplate the strategic, governance, compliance and other business aspects.
Managers also, of course, make good use of email and other business comms, which means they are users as well as managers of the associated technologies ... hence they need to be aware of the information risks and use the security controls themselves. Despite the title, awareness materials in the 'staff' stream are, in fact, aimed at all workers, not just staff, not even just employees: contractors, consultants, temps and others may well be using the organization's email, phone and other messaging systems routinely, and everyone has some level of access to corporate information, perhaps personal info too. We might have named it the 'users' stream, except that the term is strongly linked to IT (and drugs!) whereas information security is relevant to IT and non-IT users alike. Not everyone uses email or phones, but we all communicate.
Meanwhile, we have a little communications issue of our own. What are we going to call this awareness module? The working title "email and inter-personal messaging security" is unwieldy and a bit formal. "Helping people communicate securely" is more accessible but still not quite right. Hmmmmmm.